We detected that you uploaded credentials to NAME_OF_REPO. We strongly advise against this as it allows attackers to easily gain unauthorized access to your software and infrastructure.
Have a look at this blog where we discuss alternatives"
EDIT:
Just to be clear, I'm not suggesting a ban at all, just a friendly email in response to commits that introduce credentials to public repos
I personally upload private keys in repos for some test scenarios and examples (dummy private keys of course). I often don’t want to write a test harness to generate the data for each run. Sue me!
Yes, business wise github is a git hosting site. If they started implementing rules on how you structure your application customers would get frustrated and move away.
Just to be clear, I'm not suggesting a ban at all, just a friendly email in response to commits that introduce credentials to public repos
People already mentioned the major use case of testing, but building a blacklist of keys (e.g., the Debian OpenSSL there-are-only-64K-keys fiasco) is a plausible option as well.
I know you mean well but no charge should be introduced to mitigate against this stupidity. You are (probably correctly) assuming that the data in question is genuine. Nonetheless it is none of our business. rm -rf /* does not contain a warning message and that is the way it should be.
Yeah long ago it was not to be the case and rm would happily gobble /, but it started with Sun adding protection. It's been the default in GNU coreutils (hence the vast majority of Linux distros) since 2006.
It's worth pointing out that some of these are configuation examples, illustrations of how to set something up. (Though of course that carries the risk that less thorough users just copy-paste that into production and call it a day.)
You should check out how many services have their entire git repo of their service openly accessible (this allows getting the data out of the git objects, as well as the history).
Quite often you can go to domain.tld/.git/ and find the files if you know their names. Even major sites - The Hill only fixed it in the past few days.
One of the first things I implemented when setting up a company's webserver was to make .git and below return 404. Making those folders visible is a silly idea on SVN, let alone Git.
I was a little surprised to see an Apple domain in there, but I can't really tell what the private key was for (could have been a test or an example). It looks like it's either an outdated result or an Apple engineer quickly saw this and fixed it because the page 404s now.
I've often wondered why they do this; what's the point in offering misleading results?
For instance, there have been times I've searched for something, and it gives back a lot of results, plus it has a pager with seemingly over 50 pages in it.
But - if I say "jump to the last page", suddenly the pager only shows four pages and I'm at the end of page 4...
What the heck is up with that? Sometimes, some really great information is buried under all the SEO'd to hell-and-back crap at the top. That's the info I want, and I don't care if the website owner cares about SEO or whatnot - because they are likely a small-time user (or they just have a very old page or something that hasn't been updated in 20 years)...
Slightly related question about API keys that rely on referer (say Google Vision) - what stops me using curl to spoof referer and rake in thousands in someone’s bill (15 cents per 1k recognitions)?
I assume there’s some IP based quota, but I haven’t seen a knob for that on GCP at least.
This should be enforced on your server and you shouldn’t have clients directly connecting to a service like Google Vision. I have a system that uses AWS lambda so that I don’t have to distribute my 3rd party API keys but I still have to add rate limiting.
At a guess, this is to filter out SSH keys, which have an identical private key format, and we well know already how many of those get committed to GitHub. I think this is to highlight where the server's HTTPS key is visible.
If you mean Jet Propulsion Lab, then no way. I'm sure they're better than that.
The IP block is managed by INetU Inc, which was apparently a cloud hosting company now owned by Canadian telecommunications company Shaw Communications.
This I pure paranoia fuel. I don't think I've done this (or what someone else mentioned about leaving the .git folder open in the server) but I'll double check anyway.
Interesting. Weird response to something that doesn't seem that rare, like someone linking you to the mobile version of a page, just linking you to a different Google culture.
"Hello from github,
We detected that you uploaded credentials to NAME_OF_REPO. We strongly advise against this as it allows attackers to easily gain unauthorized access to your software and infrastructure.
Have a look at this blog where we discuss alternatives"
EDIT: Just to be clear, I'm not suggesting a ban at all, just a friendly email in response to commits that introduce credentials to public repos